Example 41 with Scope
use of org.keycloak.authorization.model.Scope in project keycloak by keycloak.
the class PolicyEvaluationResponseBuilder method toRepresentation.
private static PolicyEvaluationResponse.PolicyResultRepresentation toRepresentation(Result.PolicyResult result, AuthorizationProvider authorization) {
PolicyEvaluationResponse.PolicyResultRepresentation policyResultRep = new PolicyEvaluationResponse.PolicyResultRepresentation();
PolicyRepresentation representation = new PolicyRepresentation();
Policy policy = result.getPolicy();
representation.setId(policy.getId());
representation.setName(policy.getName());
representation.setType(policy.getType());
representation.setDecisionStrategy(policy.getDecisionStrategy());
representation.setDescription(policy.getDescription());
if ("uma".equals(representation.getType())) {
Map<PermissionTicket.FilterOption, String> filters = new EnumMap<>(PermissionTicket.FilterOption.class);
filters.put(PermissionTicket.FilterOption.POLICY_ID, policy.getId());
List<PermissionTicket> tickets = authorization.getStoreFactory().getPermissionTicketStore().find(filters, policy.getResourceServer().getId(), -1, 1);
if (!tickets.isEmpty()) {
KeycloakSession keycloakSession = authorization.getKeycloakSession();
RealmModel realm = authorization.getRealm();
PermissionTicket ticket = tickets.get(0);
UserModel userOwner = keycloakSession.users().getUserById(realm, ticket.getOwner());
UserModel requester = keycloakSession.users().getUserById(realm, ticket.getRequester());
String resourceOwner;
if (userOwner != null) {
resourceOwner = getUserEmailOrUserName(userOwner);
} else {
ClientModel clientOwner = realm.getClientById(ticket.getOwner());
resourceOwner = clientOwner.getClientId();
}
representation.setDescription("Resource owner (" + resourceOwner + ") grants access to " + getUserEmailOrUserName(requester));
} else {
String description = representation.getDescription();
if (description != null) {
representation.setDescription(description + " (User-Managed Policy)");
} else {
representation.setDescription("User-Managed Policy");
}
}
}
representation.setResources(policy.getResources().stream().map(resource -> resource.getName()).collect(Collectors.toSet()));
Set<String> scopeNames = policy.getScopes().stream().map(scope -> scope.getName()).collect(Collectors.toSet());
representation.setScopes(scopeNames);
policyResultRep.setPolicy(representation);
if (result.getEffect() == Decision.Effect.DENY) {
policyResultRep.setStatus(DecisionEffect.DENY);
policyResultRep.setScopes(representation.getScopes());
} else {
policyResultRep.setStatus(DecisionEffect.PERMIT);
}
policyResultRep.setAssociatedPolicies(result.getAssociatedPolicies().stream().map(policy1 -> toRepresentation(policy1, authorization)).collect(Collectors.toList()));
return policyResultRep;
}
Also used :
Policy(org.keycloak.authorization.model.Policy)
ClientModel(org.keycloak.models.ClientModel)
Scope(org.keycloak.authorization.model.Scope)
ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation)
Arrays(java.util.Arrays)
PolicyResultRepresentation(org.keycloak.representations.idm.authorization.PolicyEvaluationResponse.PolicyResultRepresentation)
HashMap(java.util.HashMap)
Function(java.util.function.Function)
PolicyRepresentation(org.keycloak.representations.idm.authorization.PolicyRepresentation)
PermissionTicket(org.keycloak.authorization.model.PermissionTicket)
ArrayList(java.util.ArrayList)
PolicyEvaluationService(org.keycloak.authorization.admin.PolicyEvaluationService)
UserModel(org.keycloak.models.UserModel)
AccessToken(org.keycloak.representations.AccessToken)
Map(java.util.Map)
ScopeRepresentation(org.keycloak.representations.idm.authorization.ScopeRepresentation)
AuthorizationProvider(org.keycloak.authorization.AuthorizationProvider)
ResourceServer(org.keycloak.authorization.model.ResourceServer)
RealmModel(org.keycloak.models.RealmModel)
EnumMap(java.util.EnumMap)
Collection(java.util.Collection)
KeycloakSession(org.keycloak.models.KeycloakSession)
Set(java.util.Set)
Decision(org.keycloak.authorization.Decision)
Collectors(java.util.stream.Collectors)
KeycloakIdentity(org.keycloak.authorization.common.KeycloakIdentity)
Policy(org.keycloak.authorization.model.Policy)
List(java.util.List)
Stream(java.util.stream.Stream)
Result(org.keycloak.authorization.policy.evaluation.Result)
PolicyEvaluationResponse(org.keycloak.representations.idm.authorization.PolicyEvaluationResponse)
DecisionEffect(org.keycloak.representations.idm.authorization.DecisionEffect)
Comparator(java.util.Comparator)
PermissionTicket(org.keycloak.authorization.model.PermissionTicket)
PolicyResultRepresentation(org.keycloak.representations.idm.authorization.PolicyEvaluationResponse.PolicyResultRepresentation)
PolicyRepresentation(org.keycloak.representations.idm.authorization.PolicyRepresentation)
RealmModel(org.keycloak.models.RealmModel)
UserModel(org.keycloak.models.UserModel)
ClientModel(org.keycloak.models.ClientModel)
KeycloakSession(org.keycloak.models.KeycloakSession)
PolicyEvaluationResponse(org.keycloak.representations.idm.authorization.PolicyEvaluationResponse)
PolicyResultRepresentation(org.keycloak.representations.idm.authorization.PolicyEvaluationResponse.PolicyResultRepresentation)
EnumMap(java.util.EnumMap)
Example 42 with Scope
use of org.keycloak.authorization.model.Scope in project keycloak by keycloak.
the class AuthorizationTokenService method resolveScopePermissions.
private void resolveScopePermissions(KeycloakAuthorizationRequest request, ResourceServer resourceServer, AuthorizationProvider authorization, Map<String, ResourcePermission> permissionsToEvaluate, ResourceStore resourceStore, AtomicInteger limit, Set<Scope> requestedScopesModel) {
AtomicBoolean processed = new AtomicBoolean();
resourceStore.findByScope(requestedScopesModel.stream().map(Scope::getId).collect(Collectors.toList()), resourceServer.getId(), resource -> {
if (limit != null && limit.get() <= 0) {
return;
}
ResourcePermission perm = permissionsToEvaluate.get(resource.getId());
if (perm == null) {
perm = Permissions.createResourcePermissions(resource, resourceServer, requestedScopesModel, authorization, request);
permissionsToEvaluate.put(resource.getId(), perm);
if (limit != null) {
limit.decrementAndGet();
}
} else {
for (Scope scope : requestedScopesModel) {
perm.addScope(scope);
}
}
processed.compareAndSet(false, true);
});
if (!processed.get()) {
for (Scope scope : requestedScopesModel) {
if (limit != null && limit.getAndDecrement() <= 0) {
break;
}
permissionsToEvaluate.computeIfAbsent(scope.getId(), s -> new ResourcePermission(null, new ArrayList<>(Arrays.asList(scope)), resourceServer, request.getClaims()));
}
}
}
Also used :
AtomicBoolean(java.util.concurrent.atomic.AtomicBoolean)
Scope(org.keycloak.authorization.model.Scope)
ArrayList(java.util.ArrayList)
ResourcePermission(org.keycloak.authorization.permission.ResourcePermission)
Example 43 with Scope
use of org.keycloak.authorization.model.Scope in project keycloak by keycloak.
the class AuthorizationTokenService method resolveResourcePermission.
private void resolveResourcePermission(KeycloakAuthorizationRequest request, ResourceServer resourceServer, KeycloakIdentity identity, AuthorizationProvider authorization, StoreFactory storeFactory, Map<String, ResourcePermission> permissionsToEvaluate, ResourceStore resourceStore, AtomicInteger limit, Permission permission, Set<Scope> requestedScopesModel, String resourceId) {
Resource resource;
if (resourceId.indexOf('-') != -1) {
resource = resourceStore.findById(resourceId, resourceServer.getId());
} else {
resource = null;
}
if (resource != null) {
addPermission(request, resourceServer, authorization, permissionsToEvaluate, limit, requestedScopesModel, resource);
} else if (resourceId.startsWith("resource-type:")) {
// only resource types, no resource instances. resource types are owned by the resource server
String resourceType = resourceId.substring("resource-type:".length());
resourceStore.findByType(resourceType, resourceServer.getId(), resourceServer.getId(), resource1 -> addPermission(request, resourceServer, authorization, permissionsToEvaluate, limit, requestedScopesModel, resource1));
} else if (resourceId.startsWith("resource-type-any:")) {
// any resource with a given type
String resourceType = resourceId.substring("resource-type-any:".length());
resourceStore.findByType(resourceType, null, resourceServer.getId(), resource12 -> addPermission(request, resourceServer, authorization, permissionsToEvaluate, limit, requestedScopesModel, resource12));
} else if (resourceId.startsWith("resource-type-instance:")) {
// only resource instances with a given type
String resourceType = resourceId.substring("resource-type-instance:".length());
resourceStore.findByTypeInstance(resourceType, resourceServer.getId(), resource13 -> addPermission(request, resourceServer, authorization, permissionsToEvaluate, limit, requestedScopesModel, resource13));
} else if (resourceId.startsWith("resource-type-owner:")) {
// only resources where the current identity is the owner
String resourceType = resourceId.substring("resource-type-owner:".length());
resourceStore.findByType(resourceType, identity.getId(), resourceServer.getId(), resource14 -> addPermission(request, resourceServer, authorization, permissionsToEvaluate, limit, requestedScopesModel, resource14));
} else {
Resource ownerResource = resourceStore.findByName(resourceId, identity.getId(), resourceServer.getId());
if (ownerResource != null) {
permission.setResourceId(ownerResource.getId());
addPermission(request, resourceServer, authorization, permissionsToEvaluate, limit, requestedScopesModel, ownerResource);
}
if (!identity.isResourceServer() || !identity.getId().equals(resourceServer.getId())) {
List<PermissionTicket> tickets = storeFactory.getPermissionTicketStore().findGranted(resourceId, identity.getId(), resourceServer.getId());
if (!tickets.isEmpty()) {
List<Scope> scopes = new ArrayList<>();
Resource grantedResource = null;
for (PermissionTicket permissionTicket : tickets) {
if (grantedResource == null) {
grantedResource = permissionTicket.getResource();
}
scopes.add(permissionTicket.getScope());
}
requestedScopesModel.retainAll(scopes);
ResourcePermission resourcePermission = addPermission(request, resourceServer, authorization, permissionsToEvaluate, limit, requestedScopesModel, grantedResource);
// the permission is explicitly granted by the owner, mark this permission as granted so that we don't run the evaluation engine on it
resourcePermission.setGranted(true);
}
Resource serverResource = resourceStore.findByName(resourceId, resourceServer.getId());
if (serverResource != null) {
permission.setResourceId(serverResource.getId());
addPermission(request, resourceServer, authorization, permissionsToEvaluate, limit, requestedScopesModel, serverResource);
}
}
}
if (permissionsToEvaluate.isEmpty()) {
CorsErrorResponseException invalidResourceException = new CorsErrorResponseException(request.getCors(), "invalid_resource", "Resource with id [" + resourceId + "] does not exist.", Status.BAD_REQUEST);
fireErrorEvent(request.getEvent(), Errors.INVALID_REQUEST, invalidResourceException);
throw invalidResourceException;
}
}
Also used :
ResourcePermission(org.keycloak.authorization.permission.ResourcePermission)
Arrays(java.util.Arrays)
Tokens(org.keycloak.authorization.util.Tokens)
UserSessionProvider(org.keycloak.models.UserSessionProvider)
DefaultClientSessionContext(org.keycloak.services.util.DefaultClientSessionContext)
BiFunction(java.util.function.BiFunction)
Permissions(org.keycloak.authorization.permission.Permissions)
PermissionTicketAwareDecisionResultCollector(org.keycloak.authorization.policy.evaluation.PermissionTicketAwareDecisionResultCollector)
AuthenticationSessionManager(org.keycloak.services.managers.AuthenticationSessionManager)
Metadata(org.keycloak.representations.idm.authorization.AuthorizationRequest.Metadata)
MediaType(javax.ws.rs.core.MediaType)
OAuthErrorException(org.keycloak.OAuthErrorException)
AuthenticationManager(org.keycloak.services.managers.AuthenticationManager)
AtomicInteger(java.util.concurrent.atomic.AtomicInteger)
AccessToken(org.keycloak.representations.AccessToken)
AuthenticatedClientSessionModel(org.keycloak.models.AuthenticatedClientSessionModel)
ErrorResponseException(org.keycloak.services.ErrorResponseException)
Map(java.util.Map)
ClientConnection(org.keycloak.common.ClientConnection)
AuthorizationProvider(org.keycloak.authorization.AuthorizationProvider)
AuthenticationSessionModel(org.keycloak.sessions.AuthenticationSessionModel)
RealmModel(org.keycloak.models.RealmModel)
Collection(java.util.Collection)
AuthorizationRequest(org.keycloak.representations.idm.authorization.AuthorizationRequest)
Set(java.util.Set)
ResourceStore(org.keycloak.authorization.store.ResourceStore)
CorsErrorResponseException(org.keycloak.services.CorsErrorResponseException)
Collectors(java.util.stream.Collectors)
IDToken(org.keycloak.representations.IDToken)
KeycloakIdentity(org.keycloak.authorization.common.KeycloakIdentity)
Objects(java.util.Objects)
List(java.util.List)
ScopeStore(org.keycloak.authorization.store.ScopeStore)
ServiceAccountConstants(org.keycloak.common.constants.ServiceAccountConstants)
Response(javax.ws.rs.core.Response)
Details(org.keycloak.events.Details)
DefaultEvaluationContext(org.keycloak.authorization.common.DefaultEvaluationContext)
RootAuthenticationSessionModel(org.keycloak.sessions.RootAuthenticationSessionModel)
Entry(java.util.Map.Entry)
OIDCLoginProtocol(org.keycloak.protocol.oidc.OIDCLoginProtocol)
ClientModel(org.keycloak.models.ClientModel)
Scope(org.keycloak.authorization.model.Scope)
KeycloakModelUtils(org.keycloak.models.utils.KeycloakModelUtils)
Permission(org.keycloak.representations.idm.authorization.Permission)
Logger(org.jboss.logging.Logger)
StoreFactory(org.keycloak.authorization.store.StoreFactory)
AtomicBoolean(java.util.concurrent.atomic.AtomicBoolean)
HashMap(java.util.HashMap)
RefreshToken(org.keycloak.representations.RefreshToken)
TokenManager(org.keycloak.protocol.oidc.TokenManager)
HttpMethod(javax.ws.rs.HttpMethod)
ArrayList(java.util.ArrayList)
PermissionTicket(org.keycloak.authorization.model.PermissionTicket)
HashSet(java.util.HashSet)
LinkedHashMap(java.util.LinkedHashMap)
UserModel(org.keycloak.models.UserModel)
ClientSessionContext(org.keycloak.models.ClientSessionContext)
EventBuilder(org.keycloak.events.EventBuilder)
OIDCAdvancedConfigWrapper(org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper)
PermissionTicketToken(org.keycloak.representations.idm.authorization.PermissionTicketToken)
Cors(org.keycloak.services.resources.Cors)
Status(javax.ws.rs.core.Response.Status)
Base64Url(org.keycloak.common.util.Base64Url)
ResourceServer(org.keycloak.authorization.model.ResourceServer)
Errors(org.keycloak.events.Errors)
Authorization(org.keycloak.representations.AccessToken.Authorization)
KeycloakSession(org.keycloak.models.KeycloakSession)
HttpRequest(org.jboss.resteasy.spi.HttpRequest)
UserSessionModel(org.keycloak.models.UserSessionModel)
AuthorizationResponse(org.keycloak.representations.idm.authorization.AuthorizationResponse)
JsonSerialization(org.keycloak.util.JsonSerialization)
EvaluationContext(org.keycloak.authorization.policy.evaluation.EvaluationContext)
ResourceServerStore(org.keycloak.authorization.store.ResourceServerStore)
Urls(org.keycloak.services.Urls)
AccessTokenResponseBuilder(org.keycloak.protocol.oidc.TokenManager.AccessTokenResponseBuilder)
Resource(org.keycloak.authorization.model.Resource)
PermissionTicket(org.keycloak.authorization.model.PermissionTicket)
Scope(org.keycloak.authorization.model.Scope)
Resource(org.keycloak.authorization.model.Resource)
ArrayList(java.util.ArrayList)
CorsErrorResponseException(org.keycloak.services.CorsErrorResponseException)
ResourcePermission(org.keycloak.authorization.permission.ResourcePermission)
Example 44 with Scope
use of org.keycloak.authorization.model.Scope in project keycloak by keycloak.
the class AuthorizationTokenService method createPermissions.
private Collection<ResourcePermission> createPermissions(PermissionTicketToken ticket, KeycloakAuthorizationRequest request, ResourceServer resourceServer, AuthorizationProvider authorization, EvaluationContext context) {
KeycloakIdentity identity = (KeycloakIdentity) context.getIdentity();
StoreFactory storeFactory = authorization.getStoreFactory();
Map<String, ResourcePermission> permissionsToEvaluate = new LinkedHashMap<>();
ResourceStore resourceStore = storeFactory.getResourceStore();
ScopeStore scopeStore = storeFactory.getScopeStore();
Metadata metadata = request.getMetadata();
final AtomicInteger limit = metadata != null && metadata.getLimit() != null ? new AtomicInteger(metadata.getLimit()) : null;
for (Permission permission : ticket.getPermissions()) {
if (limit != null && limit.get() <= 0) {
break;
}
Set<Scope> requestedScopesModel = resolveRequestedScopes(request, resourceServer, scopeStore, permission);
String resourceId = permission.getResourceId();
if (resourceId != null) {
resolveResourcePermission(request, resourceServer, identity, authorization, storeFactory, permissionsToEvaluate, resourceStore, limit, permission, requestedScopesModel, resourceId);
} else {
resolveScopePermissions(request, resourceServer, authorization, permissionsToEvaluate, resourceStore, limit, requestedScopesModel);
}
}
resolvePreviousGrantedPermissions(ticket, request, resourceServer, permissionsToEvaluate, resourceStore, scopeStore, limit);
return permissionsToEvaluate.values();
}
Also used :
Metadata(org.keycloak.representations.idm.authorization.AuthorizationRequest.Metadata)
ScopeStore(org.keycloak.authorization.store.ScopeStore)
ResourceStore(org.keycloak.authorization.store.ResourceStore)
StoreFactory(org.keycloak.authorization.store.StoreFactory)
LinkedHashMap(java.util.LinkedHashMap)
Scope(org.keycloak.authorization.model.Scope)
AtomicInteger(java.util.concurrent.atomic.AtomicInteger)
KeycloakIdentity(org.keycloak.authorization.common.KeycloakIdentity)
ResourcePermission(org.keycloak.authorization.permission.ResourcePermission)
Permission(org.keycloak.representations.idm.authorization.Permission)
ResourcePermission(org.keycloak.authorization.permission.ResourcePermission)
Example 45 with Scope
use of org.keycloak.authorization.model.Scope in project keycloak by keycloak.
the class PermissionTicketService method create.
@POST
@Consumes("application/json")
@Produces("application/json")
public Response create(PermissionTicketRepresentation representation) {
PermissionTicketStore ticketStore = authorization.getStoreFactory().getPermissionTicketStore();
if (representation == null)
throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "invalid_permission", Response.Status.BAD_REQUEST);
if (representation.getId() != null)
throw new ErrorResponseException("invalid_permission", "created permissions should not have id", Response.Status.BAD_REQUEST);
if (representation.getResource() == null)
throw new ErrorResponseException("invalid_permission", "created permissions should have resource", Response.Status.BAD_REQUEST);
if (representation.getScope() == null && representation.getScopeName() == null)
throw new ErrorResponseException("invalid_permission", "created permissions should have scope or scopeName", Response.Status.BAD_REQUEST);
if (representation.getRequester() == null && representation.getRequesterName() == null)
throw new ErrorResponseException("invalid_permission", "created permissions should have requester or requesterName", Response.Status.BAD_REQUEST);
ResourceStore rstore = this.authorization.getStoreFactory().getResourceStore();
Resource resource = rstore.findById(representation.getResource(), resourceServer.getId());
if (resource == null)
throw new ErrorResponseException("invalid_resource_id", "Resource set with id [" + representation.getResource() + "] does not exists in this server.", Response.Status.BAD_REQUEST);
if (!resource.getOwner().equals(this.identity.getId()))
throw new ErrorResponseException("not_authorised", "permissions for [" + representation.getResource() + "] can be only created by the owner", Response.Status.FORBIDDEN);
UserModel user = null;
if (representation.getRequester() != null)
user = this.authorization.getKeycloakSession().userStorageManager().getUserById(this.authorization.getRealm(), representation.getRequester());
else
user = this.authorization.getKeycloakSession().userStorageManager().getUserByUsername(this.authorization.getRealm(), representation.getRequesterName());
if (user == null)
throw new ErrorResponseException("invalid_permission", "Requester does not exists in this server as user.", Response.Status.BAD_REQUEST);
Scope scope = null;
ScopeStore sstore = this.authorization.getStoreFactory().getScopeStore();
if (representation.getScopeName() != null)
scope = sstore.findByName(representation.getScopeName(), resourceServer.getId());
else
scope = sstore.findById(representation.getScope(), resourceServer.getId());
if (scope == null && representation.getScope() != null)
throw new ErrorResponseException("invalid_scope", "Scope [" + representation.getScope() + "] is invalid", Response.Status.BAD_REQUEST);
if (scope == null && representation.getScopeName() != null)
throw new ErrorResponseException("invalid_scope", "Scope [" + representation.getScopeName() + "] is invalid", Response.Status.BAD_REQUEST);
boolean match = resource.getScopes().contains(scope);
if (!match)
throw new ErrorResponseException("invalid_resource_id", "Resource set with id [" + representation.getResource() + "] does not have Scope [" + scope.getName() + "]", Response.Status.BAD_REQUEST);
Map<PermissionTicket.FilterOption, String> attributes = new EnumMap<>(PermissionTicket.FilterOption.class);
attributes.put(PermissionTicket.FilterOption.RESOURCE_ID, resource.getId());
attributes.put(PermissionTicket.FilterOption.SCOPE_ID, scope.getId());
attributes.put(PermissionTicket.FilterOption.REQUESTER, user.getId());
if (!ticketStore.find(attributes, resourceServer.getId(), -1, -1).isEmpty())
throw new ErrorResponseException("invalid_permission", "Permission already exists", Response.Status.BAD_REQUEST);
PermissionTicket ticket = ticketStore.create(resource.getId(), scope.getId(), user.getId(), resourceServer);
if (representation.isGranted())
ticket.setGrantedTimestamp(java.lang.System.currentTimeMillis());
representation = ModelToRepresentation.toRepresentation(ticket, authorization);
return Response.ok(representation).build();
}
Also used :
PermissionTicket(org.keycloak.authorization.model.PermissionTicket)
Resource(org.keycloak.authorization.model.Resource)
ScopeStore(org.keycloak.authorization.store.ScopeStore)
ResourceStore(org.keycloak.authorization.store.ResourceStore)
UserModel(org.keycloak.models.UserModel)
Scope(org.keycloak.authorization.model.Scope)
PermissionTicketStore(org.keycloak.authorization.store.PermissionTicketStore)
ErrorResponseException(org.keycloak.services.ErrorResponseException)
EnumMap(java.util.EnumMap)
POST(javax.ws.rs.POST)
Consumes(javax.ws.rs.Consumes)
Produces(javax.ws.rs.Produces)
Aggregations
Scope (org.keycloak.authorization.model.Scope)65
Resource (org.keycloak.authorization.model.Resource)43
ResourceServer (org.keycloak.authorization.model.ResourceServer)39
Policy (org.keycloak.authorization.model.Policy)38
StoreFactory (org.keycloak.authorization.store.StoreFactory)21
HashSet (java.util.HashSet)19
AuthorizationProvider (org.keycloak.authorization.AuthorizationProvider)19
ArrayList (java.util.ArrayList)18
List (java.util.List)17
ClientModel (org.keycloak.models.ClientModel)17
Map (java.util.Map)16
EnumMap (java.util.EnumMap)14
Collectors (java.util.stream.Collectors)14
PolicyStore (org.keycloak.authorization.store.PolicyStore)14
Collection (java.util.Collection)13
Set (java.util.Set)13
UserModel (org.keycloak.models.UserModel)13
Produces (javax.ws.rs.Produces)12
ResourceStore (org.keycloak.authorization.store.ResourceStore)12
KeycloakSession (org.keycloak.models.KeycloakSession)12
